ĐARK々MÁTTER12mo ago

End session endpoint logs out other accounts even though id_token_hint is provided

I am logged in as devaccount and saved the id_token from the token_endpoint in the session. During logout, I am invalidating the session and redirecting the user to ZITADEL's end session endpoint.
<?php
use Illuminate\Support\Str; // Str::random() is Laravel's helper; the snippet assumes a Laravel app

$query = [
    'id_token_hint'            => $idToken, // the id_token from the ZITADEL token response, saved at login
    'client_id'                => $zitadelAppClientID,
    'post_logout_redirect_uri' => $postRedirectUri,
    'state'                    => Str::random(20),
];

// Redirect the browser to ZITADEL's RP-initiated logout endpoint
header('Location: ' . $zitadelBaseUrl . '/oidc/v1/end_session?' . http_build_query($query));
exit;
Based on the documentation, it should log out only the last user and keep the other two logged in.
Linked: ZITADEL Docs, OpenID Connect 1.0 Discovery
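An added example, not code from the post above or from ZITADEL, showing the relying-party side of the RP-initiated logout the post describes: building the end_session request with an id_token_hint, binding a fresh state to the session so the post-logout return can be checked, and decoding the hint's sub claim to log which user the request names. Only the endpoint path, the parameter names and the base64url token layout come from the post and the OpenID Connect specs; the function names, the sample token and the session key are assumptions of this example.

```php
<?php
// Added example (not from the original post): RP-initiated logout helpers for a
// plain PHP relying party. Function names, $_SESSION key and the demo token are
// assumptions; the endpoint path and parameter names match the post above.

declare(strict_types=1);

/**
 * Build the end_session URL. The freshly generated state is returned with the
 * URL so the caller can persist it and compare it on the post-logout return.
 */
function buildEndSessionUrl(string $issuer, string $idToken, string $clientId, string $postLogoutRedirectUri): array
{
    $state = bin2hex(random_bytes(16)); // CSPRNG-backed, one value per logout attempt
    $query = [
        'id_token_hint'            => $idToken,
        'client_id'                => $clientId,
        'post_logout_redirect_uri' => $postLogoutRedirectUri,
        'state'                    => $state,
    ];
    return [
        'url'   => rtrim($issuer, '/') . '/oidc/v1/end_session?' . http_build_query($query),
        'state' => $state,
    ];
}

/**
 * Read the `sub` claim from an ID token so the logout can be logged against the
 * user it names. This only decodes the payload; it does NOT verify the signature,
 * so the value is for diagnostics, never for an authorization decision.
 */
function idTokenSubject(string $idToken): ?string
{
    $parts = explode('.', $idToken);
    if (count($parts) !== 3) {
        return null;
    }
    $payload = base64_decode(strtr($parts[1], '-_', '+/'), true); // base64url -> base64
    if ($payload === false) {
        return null;
    }
    $claims = json_decode($payload, true);
    return is_array($claims) && isset($claims['sub']) ? (string) $claims['sub'] : null;
}

/**
 * Handler for post_logout_redirect_uri: accept the return only if the state
 * equals the one stored before the redirect (constant-time compare).
 */
function validatePostLogoutState(?string $returnedState, ?string $storedState): bool
{
    if ($returnedState === null || $storedState === null) {
        return false;
    }
    return hash_equals($storedState, $returnedState);
}

// --- constructed demo input: a fake, unsigned ID token, not a real ZITADEL token ---
$claims = ['iss' => 'https://example.zitadel.cloud', 'sub' => '123456789', 'aud' => 'my-client'];
$payload = rtrim(strtr(base64_encode(json_encode($claims)), '+/', '-_'), '=');
$demoIdToken = 'eyJhbGciOiJSUzI1NiJ9.' . $payload . '.c2lnbmF0dXJl';

$logout = buildEndSessionUrl('https://example.zitadel.cloud', $demoIdToken, 'my-client', 'https://rp.example/logged-out');
// Persist before redirecting; the /logged-out handler reads it back and clears it.
// $_SESSION['logout_state'] = $logout['state'];

echo 'Ending session for sub=' . idTokenSubject($demoIdToken) . PHP_EOL;
echo $logout['url'] . PHP_EOL;
var_dump(validatePostLogoutState($logout['state'], $logout['state']));
var_dump(validatePostLogoutState('forged', $logout['state']));
```

The state is generated with random_bytes rather than a general-purpose string helper and is compared with hash_equals so that a forged or replayed post-logout redirect is rejected; the local session should be cleared before the redirect, as the post does, since the provider's end_session response is not something the relying party can rely on for that.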